1. INTRODUCTION
Interested in knowing how Bluetooth Low Energy works down to the packet level? Do you want to debug your own BLE device and spot where you are going wrong? Or are you writing a custom application for your phone that needs to talk to your BLE hardware, but you don't know how it works? We have the right tool to help you!
The BLE Sniffer is an embedded device used to display and store BLE packets captured via a CC2540 BLE sniffer. The sniffer software parses the packets, decodes them and displays them in a convenient way, with options for filtering and displaying only the relevant fields.
A CC2540 USB dongle together with a Tiva board carrying the TM4C123GH6PM microcontroller is used as the hardware platform. The packets received by the CC2540 are streamed over the UART interface to the TM4C123GH6PM, which analyses them. The processed data can be sent over UART to any terminal such as HyperTerminal, Minicom or PuTTY, or it can be displayed on a local LCD display (not implemented yet).
2. POSSIBLE SNIFFING OPTIONS
The main idea of this project is to provide an easy debug environment for custom BLE implementations. Two types of application are possible for debugging BLE implementations. The feasibility of both approaches was studied before the second approach was chosen.
1. In the first approach, the CC2540 acts as a BLE Central node, interrogates the BLE peripheral, and displays the status messages and data received. It also performs connection establishment and data transfer.
The HostTestRelease project, one of the sample projects provided by TI [1], can be used together with a custom sniffer application to implement this. In this case the BLE stack and profiles run on the CC2540, which talks to the Tiva board via the HCI interface over UART.
2. In the second approach, the CC2540 acts as a packet sniffer and captures the BLE messages over the air. These messages are sent over UART to the Tiva board, where they are processed and segregated; the processed information is then sent over UART and can be viewed in an application such as HyperTerminal on a PC.
3. CHALLENGES
One of the main challenges in implementing a custom BLE sniffer is that the low-level drivers needed to configure the radio in sniffer/promiscuous mode are not available in the public domain. Furthermore, source code is not available for any of the BLE sniffers on the market (CC2540, nRF51, etc.). Hence the whole packet format has to be reverse engineered from the BLE Core Specification and the available documentation on TI's SmartRF packet sniffer application. HCI commands can be used to communicate with the BLE module.
Also, no data-format document is available for the UART variant of the BLE sniffer firmware. For the CC2540 USB dongle to send its data in UART mode, fw_sniffer_cc2540_uart.hex [2] has to be flashed to the dongle using a CC Debugger.
4. BLE SNIFFER PACKET DATA FORMAT
The data format can be segregated into three types:
1. Advertisement Packet
2. Data Packet
3. Idle Packet
4.1. Advertisement Packet
Advertisement Packet:
PDU Header:
Advertisement Packet Types:
Refer to the Bluetooth Core Specification, Vol. 6, Part B, Section 2.3 (Advertising Channel PDU), for further details.
4.2. Data Packet
Data Packet:
Data Packet Header:
Data Packet Types:
Refer to the Bluetooth Core Specification, Vol. 6, Part B, Section 2.4 (Data Channel PDU), for further details.
4.3. Idle packet
When there is no communication, the CC2540 sends an idle pattern with the following format.
Packet 1: 0x01 0x01 0x00 0x00
Packet 2: 0x01 0x01 0x00 0x40
Packet 3: 0x01 0x01 0x00 0x80
Packet 4: 0x01 0x01 0x00 0xC0
This pattern repeats in a round-robin scheme during idle time; only the top two bits of the fourth byte change, so a receiver can recognise an idle frame by its first three bytes and use the fourth as a 2-bit sequence counter.
5. APPLICATION
In order to receive the BLE packets through UART, "fw_sniffer_cc2540_uart.hex" needs to be flashed to the CC2540 USB dongle. The custom application is built in C using Code Composer Studio for the Tiva board. The Tiva board receives the BLE data over UART and parses it into its fields as per the Bluetooth Core Specification. Specific information such as the devices available, RSSI, etc. is also compiled and displayed for the user.
The options available in the current implementation are:
Packet presentation (continuous capture mode):
1. Show all raw packets
2. Show all packets with detailed analysis view
3. Show only advertisement packets
4. Show only data communication packets
5. Show advertising packets of a selected type
6. Show data communication packets of a selected type
7. Show packets with a selected MAC address or Access Address
8. Show all nodes
9. Show all advertisers
10. Show all connections
11. Show RSSI of all advertisers
12. Show channel usage (packets communicated in each channel)
6. FUTURE SCOPE
1. Handheld BLE Sniffer with Display and SD Card interface
In addition to the CC2540 dongle, the Tiva board can be interfaced to a Kentec display and an SD card reader. Along with a battery pack, the whole setup can work as a handheld packet sniffer.
2. BLE Interrogator Cum packet Sniffer
By interfacing one more CC2540 module to act as a BLE Central or Peripheral node, we can extend the capability for debugging BLE packets. The second CC2540 module can generate BLE advertisement packets or BLE data transfers, while the other CC2540 module sniffs the packets, processes them and provides the user with the relevant information.
7. REFERENCES
CC2540 Datasheets and Other documents
8. USEFUL SOFTWARES
1. SmartRF Packet Sniffer (TI)
2. SmartRF Flash Programmer (TI)
3. IAR Embedded Workbench for 8051 v8.20
Note: BLE-CC254x-1.4.0 is compatible with IAR Embedded Workbench v8.20 only. As there are compatibility issues with later versions, avoid using them.